Pinging via vpn interface when using source ip address

# ip -4 address show dev wg0
13: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.11.2/24 brd 192.168.11.255 scope global wg0
       valid_lft forever preferred_lft forever
# ping 192.168.11.1 -c 3
PING 192.168.11.1 (192.168.11.1): 56 data bytes
64 bytes from 192.168.11.1: seq=0 ttl=64 time=83.061 ms
64 bytes from 192.168.11.1: seq=1 ttl=64 time=82.381 ms
64 bytes from 192.168.11.1: seq=2 ttl=64 time=82.321 ms

--- 192.168.11.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 82.321/82.587/83.061 ms
# ping -I wg0 1.1.1.1 -c 3
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=60 time=84.100 ms
64 bytes from 1.1.1.1: seq=1 ttl=60 time=83.621 ms
64 bytes from 1.1.1.1: seq=2 ttl=60 time=83.660 ms

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 83.621/83.793/84.100 ms
# ping -I 192.168.11.2 1.1.1.1 -c 3
PING 1.1.1.1 (1.1.1.1) from 192.168.11.2: 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=60 time=25.960 ms
64 bytes from 1.1.1.1: seq=1 ttl=60 time=25.760 ms
64 bytes from 1.1.1.1: seq=2 ttl=60 time=25.860 ms

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 25.760/25.860/25.960 ms

wg0 is not default route. I expected that when pinging using the ip address of vpn interface as the source, traffic will go through the vpn interface. This is bug or am I wrong?

I'm lost, are you asking how to ping using a certain Source IP.

If so you do:

ping -I <IP_ADDRESS> 1.1.1.1 -c 3

So?

No, it should go according to your routing tables.

If you never setup your routes, that's a wrong conclusion you've made.

ip route get <destination IP address>

Routing is, in general, based only on the destination address, not the source.

2 Likes

Explanation of my post.

Mikrotik routeros:

[admin@[REDACTED]] > /tool traceroute interface=pppoe-out1 address=1.1.1.1
 # ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST STD-DEV STATUS
 1 [REDACTED]                         0%   14   0.9ms     1.3     0.9     2.4     0.5
 2 [REDACTED]                         0%   14   1.1ms     1.4       1     3.7     0.7
 3 195.208.209.132                    0%   14  25.5ms    25.7    25.4    28.4     0.8
 4 195.208.209.7                      0%   14  26.2ms    26.2    26.1    26.5     0.1
 5 1.1.1.1                            0%   14  26.5ms    26.3    26.1    26.7     0.2

[admin@[REDACTED]] > /tool traceroute interface=ether2 address=1.1.1.1
 # ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST STD-DEV STATUS
 1 [REDACTED]                         0%    4   1.7ms     6.1     1.5    18.9     7.4
 2 193.106.112.5                      0%    4  43.7ms    29.8    23.2    43.7     8.4
 3 195.208.209.7                     25%    4  24.5ms    24.7    24.4    25.2     0.4
 4 1.1.1.1                            0%    4  23.8ms    23.9    23.7    24.2     0.2

In Windows it also works.

No, it will go via the default gateway with the specified source IP address.
If you want it to go out of the vpn interface, you need to use the vpn interface as source, like you did in the mikrotik and in the second ping.

OpenWrt utilizes source-routing for IPv6 default route by default.
So the paths for local and forwarded traffic may differ, as well as the paths for different sources.

ip -6 route get DST_ADDR from SRC_ADDR
3 Likes
# ip -6 route get 2001:4860:4860::8888
RTNETLINK answers: Permission denied

Most likely you don't have IPv6-connectivity.
Many ISPs still don't provide it.

# ip -6 route show default
default from 2a02:2698:9023:407d::/64 via fe80::ea4:2ff:fe17:7801 dev pppoe-wan proto static metric 512 pref medium
# ping 2001:4860:4860::8888 -c3
PING 2001:4860:4860::8888 (2001:4860:4860::8888): 56 data bytes
64 bytes from 2001:4860:4860::8888: seq=0 ttl=46 time=43.280 ms
64 bytes from 2001:4860:4860::8888: seq=1 ttl=46 time=43.240 ms
64 bytes from 2001:4860:4860::8888: seq=2 ttl=46 time=43.640 ms

--- 2001:4860:4860::8888 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 43.240/43.386/43.640 ms

That means default route is limited to the prefix above.
You should add another default route for all prefixes:
https://openwrt.org/docs/guide-user/network/protocol.dhcp#default_ipv6_route

/etc/config/network

config route6
        option interface 'wan_6'
        option source 'OPTIONAL_PREFIX'
        option target '::/0'
        option gateway 'fe80::ea4:2ff:fe90:2c01'

No changes in 'ip -6 route show'

default from 2a02:2698:9024:9af8::/64 via fe80::ea4:2ff:fe90:2c01 dev pppoe-wan proto static metric 512 pref medium
2a02:2698:9024:9af8::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2a02:2698:9024:9af8::/64 dev lo proto static metric 2147483647 error 4294967148 pref medium
fd22:1111:1111::/64 dev br-lan proto static metric 1024 pref medium
fd22:11111:1111:10::/60 dev wg0 proto kernel metric 256 pref medium
unreachable fd22:1111:1111::/48 dev lo proto static metric 2147483647 error 4294967148 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev gre4-gre0 proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/10 dev pppoe-wan metric 1 pref medium
fe80::/10 dev pppoe-wan proto kernel metric 256 pref medium

'OPTIONAL_PREFIX' need to be my value? Anyway i didn't understand why 'ip -6 route get' doesn't work. I have native ipv6 via dhcp-pd.

Work now.

# ip -6 route get 2001:4860:4860::8888
2001:4860:4860::8888 from :: via fe80::ea4:2ff:fe17:7801 dev pppoe-wan proto static src 2a02:2698:9023:40a4::1 metric 1024 pref medium

But i can't save this config because all these addresses is dynamic.
Is this the wrong configuration from openwrt or my ISP?

You can utilize hotplug to trigger the script when WAN6-interface becomes ready:
https://openwrt.org/docs/guide-user/base-system/hotplug
And no need to commit the changes to write into config, let it apply in the runtime.

Sorry, my IPv6 is not completely native, so no idea.
However, it should be automatic in case of native IPv6 with proper prefix delegation.

I checked again and this is same way as openwrt do by default. 'ip -6 route get' only works if i create default route without source.

In some cases the source IPv6-address for outgoing connections is ::/128, which is unspecified address:

I've recently experienced this issue trying to set up IPv6 from tunnelbroker.net.

1 Like

Yes, you should specify which address you want to use as source (from) when you are looking up a source-specific route.

ip route get 2001:4860:4860::8888 from <ipv6 address>

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.